'Silence' Gang Ramps Up Bank Assaults

Silence, a Russian-speaking criminal group that has stolen $4.2 million from ATMs and financial institutions since 2016, has become more active this year, using new tools and tactics in its attacks and expanding its reach globally, according to the security firm Group-IB.

In a new report this week, Group-IB researchers also note somewhat of a connection between Silence and another Russian threat group, TA505, which targets financial institutions. Although the actual campaigns run by the two hacker groups don't appear to be connected, tools used by Silence - which uses Silence.Downloader - and TA505 - which uses FlawedAmmyy.Downloader - were developed by the same person, the researchers say.

Silence is an increasingly active and sophisticated group that poses a significant threat to financial institutions around the world, says Rustam Mirkasymov, head of the dynamic malware analysis department at Group-IB. The Singapore-based cybersecurity firm issued its first report on Silence in September 2018, describing a small group that was then evolving into a more global threat.

"Silence is rapidly growing, which is evidenced by the frequency and expanded geography of their operations," Mirkasymov tells Information Security Media Group. "In addition, it should be taken into account that Silence sometimes relies on third-party developers, which indicates that they have extensive lists of contacts on the underground market. We assess with high confidence that Silence will continue enhancing their arsenal and increasing frequency and scale of their attacks worldwide."

(Image: Group-IB)

The criminal group has now become "one of the most sophisticated threat actors targeting the financial sector not only in Russia, but also in Latin America, Europe, Africa and especially Asia," Mirkasymov adds.

Silence has launched at least 16 new campaigns against banks over the last 12 months, according to Group-IB's threat intelligence team. Those have included campaigns in India, Russia, Kyrgysztan, Costa Rica, Bulgaria, Chile and Ghana. It also was behind a $3 million attack on Dutch-Bangla Bank in May, allegedly using so-called "money mules" to withdraw money from ATM's infected with Silence's malware.

Group-IB researchers have seen Silence's communication and control servers communicating with unidentified IPs in the United States and Canada, he notes. But they haven't yet detected a successful Silence attack in either country.

"It does not mean, however, that Silence will never try their hand attacking organizations in North America at some point," he says. "They are growing rapidly, and in just one year have significantly increased the geographical scope of their attacks."

Raking in Cash

In its report last year, Group-IB estimated that Silence had stolen about $800,000 since the cybersecurity company began tracking the group in 2016. In its latest report, Group-IB says the number has increased to $4.2 million over the past 12 months, due in large part to increased activity by the gang and the expanded geography of its attacks. Since January, Silence has infected workstations in more than 30 countries across Europe, Latin America, Africa and Asia, Mirkasymov says.

"The actual damage may be much higher, since the investigation of some attacks committed by Silence continues," he says. "Silence definitely became more active worldwide and now represents one of the most dangerous threats for banks and financial organizations all over the world, which is why we decided to make both reports public."

New Tactics and Tools

Over the past several years, Silence has garnered the attention of cybersecurity researchers, particularly as the group has extended its reach globally. Before April 2018, the group's targets tended to be in 25 post-Soviet states and nearby countries, researchers say. Now, it's reach is far broader.

As the group has drawn scrutiny from Group-IB and other security firms, it has developed more tools to make detection more difficult, Mirkasymov says.

When it first came onto the scene in 2016, Silence was known mostly for what researchers call "ATM jackpotting" or "cash out" scams, which generated the bulk of the $800,000 it stole over its first three years.

Since that time, Silence changed techniques.

The group continues to use its primary loader, Silence.Downloader, which also is known as TrueBot. The cybercriminals, however, now also are using Ivoke, a fileless loader written in PowerShell. Group-IB first detected the use of that loader in May, when Silence sent out phishing emails that appeared to be from the client of a bank asking to have a card blocked. The researchers noted that Silence lagged other groups in using fileless tools, indicating that Silence members initially spent their time studying what other groups were doing before customizing the tools to meet their own needs.

Silence also is using another PowerShell Trojan called EmpireDNSAgent - or EDA - that is based on the Empire and dnscat2 projects, the report notes. EDA is used to control compromised systems by running tasks though a command shell and tunneling traffic by leveraging DNS. Group-IB researchers detected EDA being used in attacks this year on banks in Chile, Bulgaria, Costa Rica and Ghana.

The criminal group, which has used its Atmosphere Trojan to remotely control ATMs, also has started using xfs-disp.exe, another Trojan that was used, for example, during an attack in February on the Russian Omsk IT Bank, the report says. Silence also has changed encryption alphabets, string encryption and commands for the main module and bot, researchers note.

Silence originally used phishing emails to spread its malware, but in October 2018, it started sending out reconnaissance emails that looked like a "mail delivery failed" message, according to the report. The message contains a link, but without any malicious code. Instead, the emails enable the attackers to go undetected while gaining lists of valid emails and information about a company's cybersecurity solutions. In three campaigns across Asia, Europe and former Soviet countries, Silence sent out more than 170,000 of these emails, researchers say.

"There is not a lot of information about Silence's [tactics, techniques and procedures] available in the public domain, which makes it harder to detect and prevent their attacks at early stages," Mirkasymov says. "That is exactly why Silence did not quiet down and could increase the frequency of their attacks. Another factor that allows Silence to remain largely unnoticed is that this APT remains underestimated by the banks worldwide."

About the Author

Burt is a freelance writer based in Massachusetts. He has been covering the IT industry for almost two decades, including a long stint as a writer and editor for eWEEK. Over the past several years, he also has written and edited for The Next Platform, Channel Partners, Channel Futures, Security Now, Data Center Knowledge, ITPro Today and Channelnomics.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;